
The company I work for currently has an 'individual risk assessment' form used for individual staff members who disclose an injury or medical condition etc. to decide upon activities the individual may be unable to perform, or if as a result of the injury or health condition they are taking any medication that may affect their ability at work or has serious side effects we need to be aware of.

I am looking to update this, but cannot find anything online to help me do so. Do any other companies have a form like this?

Definitely OH. You also have to be extremely careful how you develop and implement this. This is a massive area for GDPR and you as a Safety practitioner should not even have access to such medical records.

Go back to your HR and explain the significance of GDPR with regards to this issue. You can plan, organise for the OH to come visit, but the results and how those are kept should not be in your domain.

I've completed one for a member of staff that had Addison's disease. It was done in conjunction with the person's specialist and provided details of the individual, the symptoms associated with the condition, the tasks undertaken and risk reduction procedures in place (in the person's case the main issue was driving between locations so they wore a medical identification bracelet, kept a supply of oral medication and an injection kit in the car with simple instructions plus had to inform staff when they had set off and when they had arrived etc.).

I made sure the specialist had checked through it and agreed everything I'd written then got the person and her specialist to sign it. We then reviewed after 6 months internally then annually. We also had a debrief if the person reported any incidents relating to her condition to check that the assessment was still valid and that there was nothing we'd missed or any new symptoms that we needed to consider.

The person has since left the organisation as it was a few years back (before GDPR legislation!)

Hope this helps...


This is a massive area for GDPR and you as a Safety practitioner should not even have access to such medical records.

1) There is no such thing as "GDPR" under UK law - the EU General Data Protection Regulation was enacted as the Data Protection Act 2018.

2) The OP was talking about an individual RA based upon medical/health circumstances NOT the individual's medical records.

3) As the company's competent person why shouldn't the H&S bod have communication regarding health issues - different approaches exist dependent upon the size/nature of a business and the arrangements they choose to set in place. In my organisation I receive the summary surveillance reports from OH to act upon (including re-scheduling individuals who were "unfit" for certain tests on the day e.g. due to a cold) - in a previous employment they went to the MD who then sought management team advice.

You still have to read the GDPR and DPA 2018 side by side or you'll fall foul of it.

The company's competent person is ok to have some oversight on medical issues but that should come from the HR department.

The summary is not a full medical I agree but it is still a subject that needs the utmost sensitive touch. I worked in a lead manufacturing site and the OH carries out blood samples every month. All I am allowed to see is the results but again, I am not at liberty to discuss that with the IP until HR has sent letters to them advising them on the course of action i.e. not doing certain activities which may increase their blood lead count.

Do whatever you feel is right for you but medical information should be treated with the sensitivity it deserves and there are valid reasons for that.

The same company have a branch in Germany and they are not even allowed to take blood samples according to their law. Until we leave the EU officially, GDPR and DPA 2018 SHOULD be read side by side.

Only if your organisation operates in more than one EU member state and you have the responsibility for implementation of Data Protection across all borders.

UK business = UK legislative act or Statutory Instrument which may include interpretation of European Directive or adoption of European Regulation.

Not all businesses are arranged in the same manner - many do not have an HR person let alone a function - so you should not assume what is normal for you applies anywhere else.

Care to enlighten the forum with the full list of all EU legislation that MUST be read side by side with its UK equivalent? Your comments indicate I, and probably many others, have serious omissions to address in the "certified as meeting the requirements of.. management systems" externally audited legal registers.

In the UK the DPA applies. GDPR does not and hopefully in the future will not.

H&S law overrides the DPA where it is applicable.

Data is stored for a reason. If the reason for its storage is H&S related, then the H&S practitioner has a legitimate reason to see it, including medical records. Trust me: working in health and social care as a safety practitioner, I am furnished with the most confidential information when I need to see it, often to keep people safe. For example, I may need to see a person’s criminal conviction or mental health assessment to keep our staff safe when working with or supporting them.

Outwith some exceptions, I do not believe we should be conducting risk assessments on people (or person-specific risk assessments). For one reason RAs are too subjective, for another it's not right and proper to risk rate a person per se.

OT, HR, GPs, Healthcare and Safety Practitioners should work together to ensure the safety of people whilst at work. This attitude that it is someone else's responsibility (OH referral) is a cause for concern. We should be more joined up in these matters and I see this as a multi-disciplinary function. Think about the staff member being battered from pillar to post.

You still have to read the GDPR and DPA 2018 side by side or you'll fall foul of it.

The company's competent person is ok to have some oversight on medical issues but that should come from the HR department.

The summary is not a full medical I agree but it is still a subject that needs the utmost sensitive touch. I worked in a lead manufacturing site and the OH carries out blood samples every month. All I am allowed to see is the results but again, I am not at liberty to discuss that with the IP until HR has sent letters to them advising them on the course of action i.e. not doing certain activities which may increase their blood lead count.

Do whatever you feel is right for you but medical information should be treated with the sensitivity it deserves and there are valid reasons for that.

The same company have a branch in Germany and they are not even allowed to take blood samples according to their law. Until we leave the EU officially, GDPR and DPA 2018 SHOULD be read side by side.

I believe you fail to understand the law.

If your company is conducting blood sampling for lead, presumably it's under the Control of Lead at Work Regulations, regulation 10 (medical surveillance). This is a H&S matter and under data protection laws it should be the qualified safety person that receives the results, is able to act upon the results and take appropriate action from the results. It's not until this stage that HR may need to be involved to write to the staff member advising them of the course of action from the results, if needed. The H&S practitioner should understand ST and LT exposure levels, lead concentration levels in both males and females and understand the control measures that may be needed to manage/control the risk(s).

Under data protection laws HR have no legitimate reason to receive OH results, because the tests have been undertaken under H&S law and not HR law. Do HR understand, biological monitoring, a woman’s reproductive capacity, urinary lead concentration, that records must be kept for 40 years? – don’t think so.

I totally agree with you that “medical information should be treated with the sensitivity it deserves and there are valid reasons for that”, but it is critical that the right person sees the information for the proper legitimate reason/s. E.g. H&S professional receiving/accessing OH records where these are required by H&S law, i.e. CLWR, CNWR, COSHH etc.

This is the conundrum isn't it. I agree the HS personnel should receive and interpret the result but the DPA 2018 itself contradicts that slightly. So the original results go to HR, who forward it to the HS person, who then does what with it?

If the HS person's email is hacked and the data gets compromised, what happens then? This needs careful review in my opinion. I never did understand why the results should come straight to myself at the time either. However, it was the company's policy so I adhered to it.

Totally get what you are saying about the HS person having the right knowledge etc. However, the HR team can equally be trained to identify those with high or low results and communicate effectively with them as per the company's policy. I still will not agree to having the raw data sent to the HS person. Let it go to HR, who communicate to the IP, then HR will let the HS person know who needs what.

This is the conundrum isn't it. I agree the HS personnel should receive and interpret the result but the DPA 2018 itself contradicts that slightly. So the original results go to HR, who forward it to the HS person, who then does what with it?

Data Protection laws are precise as to the reason why data is being retrieved, used, stored and destroyed. In your example the data being retrieved is for H&S purposes and H&S Law, i.e. CLWR. So no - the DPA does not contradict why you are retrieving the data.

Lead presents a specific hazard that often needs specialist advice for its control. The specialist advice normally comes from the safety practitioner and not HR people. So, I would expect the safety bod to know exactly what to do with the results of the OH tests.

I remember auditing a large organisation where OH skin examinations and lung function tests went directly to the HR department. They duly filed the results in the employees' HR files. During the audit, after eventually convincing the HR people as an auditor that I had a legitimate reason to see the results, I unearthed that a number of the spray painters had low lung function test results and one had a chronic respiratory disease. The OH results had identified these issues over a number of years but because the HR people simply filed the results, they went unnoticed, despite the large red text on the assessments suggesting the employees visit their GPs as a matter of urgency.

Outwith some exceptions, I do not believe we should be conducting risk assessments on people (or person-specific risk assessments). For one reason RAs are too subjective, for another it's not right and proper to risk rate a person per se.

I totally agree. One question though. If you turn it around and you don't risk-rate the person, surely you can rate the risks to the person. My wife works in a special school, with some of the most autistic young people who can suddenly turn very very violent (in an instant). She is always coming home covered in bruises and scratches, gets punched and kicked like a boxer's bag (using Team-Teach doesn't take all the danger away and she's good at it, she is a Team-Teach tutor). The young person has a care plan, which includes information about the violent possibilities to help keep staff safe, but the RAs are done on the task (working with violent students) not the individual. So you can still risk assess. (I think - she's not here to ask, I will update if not.)

I remember auditing a large organisation where OH skin examinations and lung function tests went directly to the HR department. They duly filed the results in the employees' HR files. During the audit, after eventually convincing the HR people as an auditor that I had a legitimate reason to see the results, I unearthed that a number of the spray painters had low lung function test results and one had a chronic respiratory disease. The OH results had identified these issues over a number of years but because the HR people simply filed the results, they went unnoticed, despite the large red text on the assessments suggesting the employees visit their GPs as a matter of urgency.

As a matter of interest were you performing an external audit and did that large organisation have access to their own nominated safety advice?

I was conducting an audit as an external consultant. The organisation also had external H&S advisers.

The problem was that the policy was good, in that OH surveillance was being conducted and that the results were filed in the person's HR records. The failing was that the HR person didn't alert anyone (including the employee) that an issue had been identified.

but going back to the post....there isn't a lot of general resource available to help you...some are in ergonomics, some are in toxicology and others in clinical guidance...hence having the support of a medical professional to assist in the assessment...you can provide the workplace judgement

I am not sure how you (as an H&S bod) can (as Dave says) manage the risk to a person if you are not allowed to see any medical information relating to that person. If it is established that, for example, an individual is at particular risk of asthma due to a chemical used in a process, do you stop doing that process even though only one employee out of many is affected? You could insist that everybody takes precautions even though only one person needs them. In the case of PPE, how will you persuade people to wear it if it is not for their benefit?

Sometimes Health and Safety has to be personalised and that means you need personal information.

RebbekahT, I don't often reply on here as often there are too many that go off on tangents. I don't see any issue with individual risk assessments and neither does HSE; in fact they encourage risks to be assessed in PEEPs, managing ULDs, pregnant workers, etc. etc.

In terms of access to personal data, as far as I am aware the DPA/GDPR regs are trumped by H&S regulations, so there should be no problem with getting access to this information. Others may disagree.

I use the same risk assessment format for this type of risk assessment as I do for all other risk assessments. As for DPA / GDPR , I wouldn't worry too much about them. As others have said health and safety takes priority. The company has a duty of care to protect the employee. Also providing a medical practitioner has certified them fit for work you'll be fine.

I am not sure how you (as an H&S bod) can (as Dave says) manage the risk to a person if you are not allowed to see any medical information relating to that person. If it is established that, for example, an individual is at particular risk of asthma due to a chemical used in a process, do you stop doing that process even though only one employee out of many is affected? You could insist that everybody takes precautions even though only one person needs them. In the case of PPE, how will you persuade people to wear it if it is not for their benefit?

Sometimes Health and Safety has to be personalised and that means you need personal information.

Quite right, so the way I think you can approach it is if you identify a potential hazard (in your example an asthmagen) then the RA can be considered in the planning for the activity and the question asked "does anyone suffer from asthma?" and if the person responds positively (or the care plan identifies a condition) then controls can be put in place. You would not stop the activity for one person.

What surprised me, however, was that in a school environment sometimes the activity would be removed if one person could not take part, not on H&S grounds but due to inclusion policy as it was judged unfair to one not to be included. Not always an easy choice.

I do the risk assessments for individuals based on their applicability under the Equality Act 2010. For example, someone with diabetes might need more breaks to eat at regular intervals, someone with Crohn's or UC may need to be closer to the toilet or may suffer from excessive fatigue, someone with back problems may need an external ergonomic assessment and specialist equipment. I ask the person in advance if they're happy to have their risk assessment done by me and then for them to furnish me with details of their specific illness/type so I can read these in advance of the meeting to get a better understanding.

Most people, I have found, are more than happy to share this information in the hopes of getting better understanding and support from their employer. We then discuss their specific issues, what the doctor and consultant say and how we can best help them.

The whole lot is written on a dynamic risk assessment form and sent to the HR Department and the employee. The employee's Manager is then sent a document outlining the changes that will be required to accommodate the employee under the Equality Act but with no further detail. The master risk assessment will be kept on a confidential file that I hold and we revisit it every 6 - 12 months to ensure that everything is still the same.
